Keepass Review

Thanks to the fact that it is open source, uses top-notch end-to-end encryption, and does not store passwords in a centralized database that can be hacked (and not to mention that it is completely free), KeePass is our top choice of password manager.

OUR RATING

4.5 / 5

KeePass is a free and open source (FOSS) password manager. Although not as slick as commercial offerings such as 1Password or LastPass, the fact that users have complete control over their encryption keys (which are generated locally and stored solely by the user, so need not be shared with anyone), and that passwords are not stored on a centralized database that is vulnerable to hacking, makes KeePass the most secure password manager available.

Pricing and Features

As a FOSS program, KeePass is completely free. In its basic form, KeePass is a stand-alone Windows-only program, but KeePassX is an open source (and entirely compatible) clone available for OSX and Linux, as are iKeePass for iOS and Keepass2Android for Android.

Unlike the more integrated commercial solutions, advanced features in KeePass are added via an extensive library of plugins and extensions. These allow for great flexibility, the opportunity for customization, and improved security (for example using non-NIST encryption ciphers and on-screen keyboards), but this could prove daunting to users who want to keep things simple.

Fortunately, the only plugin that we would consider essential is one that provides browser integration (which we discuss later in this article.)

Sharing passwords across devices and platforms can be achieved by storing encrypted .kdbx files in any cloud storage account (such as Dropbox). Again, setting this up is not as intuitive as it is for commercial offerings, but because the files are encrypted by yourself on your computer, they are secure no matter how insecure the platform they are stored on (such as Dropbox!).

Aesthetics, usability and customer support

Like much FOSS software, KeePass is not as beautiful as its commercial rivals, which combined with a slightly higher learning curve may put the non-technically inclined off. KeePass is not difficult to use, however, so this should not deter anyone with even a modest amount of computer know-how.

There is, of course, no official customer support, but a good FAQ is available, and the website Forum is lively.

Security and Privacy

KeePass is open source, which means that the code can be scrutinized by anyone qualified to do so to ensure that it does not contain backdoors or other weaknesses. Although this cannot guarantee that everything is above board, it is the best solution available.

Encryption is ‘end-to-end’, which means that it is performed on your desktop (or mobile device), and that only you know your master password or hold your key file (unless you choose to share it, of course!). Therefore, unless you want to share your master password or key file, no-one else can access your database.

The downside is that if you lose your password there is no recovery option! Users should, therefore, be very careful to memorize their master password or store their key file securely.

One of the great things about this setup is that even if an adversary can access your .kdbx file (the encrypted file in which your passwords are stored), they will be unable to access the contents. This is why it is safe to store .kdbx files on insecure platforms such as Dropbox.

By default KeePass 2 uses strong 256-bit AES encryption with an SHA-256 password hash function to authenticate the data. ‘Classic’ KeePass also supported the TwoFish cipher, which we prefer because it is not NIST certified, but this and other ciphers can be easily added to KeePass 2 using optional plugins.
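To make concrete how the master password and/or key file become the single secret that protects a .kdbx file, here is an added example (not the article's or the KeePass project's own code) that reproduces the KeePass 2.x composite-key step in pure Python: each key source is reduced to 32 bytes and the concatenation is hashed with SHA-256. The key-file rules and the password-then-key-file ordering are assumed from the KeePass key-file documentation; the AES key-transformation rounds and master seed that follow this step are not shown, and all sample key files are constructed inline.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Reduce a key file to the 32-byte key KeePass 2.x uses from it.

    Assumed rules: a 32-byte file is used verbatim, a 64-character hex
    file is hex-decoded, a version-1.00 XML key file carries the key
    base64-encoded in <Key><Data>, and any other file becomes
    SHA-256(contents). Length checks run first here for simplicity.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # not hex: fall through to the other rules
            pass
    try:
        root = ET.fromstring(data)
        node = root.find("./Key/Data") if root.tag == "KeyFile" else None
        if node is not None and node.text:
            return base64.b64decode("".join(node.text.split()))
    except ET.ParseError:
        pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated key sources: SHA-256 of the UTF-8
    password (if set) followed by the key-file key (if set)."""
    if password is None and key_file is None:
        raise ValueError("at least one key source is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    return hashlib.sha256(parts).digest()


def demo() -> dict:
    """Constructed sample key files carrying the same 32-byte key."""
    raw = bytes(range(32))                      # constructed 32-byte key file
    hex_file = raw.hex().encode("ascii")        # same key, 64 hex characters
    xml_file = ("<KeyFile><Meta><Version>1.00</Version></Meta><Key><Data>"
                + base64.b64encode(raw).decode() + "</Data></Key></KeyFile>").encode()
    return {
        "pw_only": composite_key("correct horse", None),
        "pw_raw": composite_key("correct horse", raw),
        "pw_hex": composite_key("correct horse", hex_file),
        "pw_xml": composite_key("correct horse", xml_file),
        "file_only": composite_key(None, raw),
        "other_len": len(key_file_key(b"any other file is just hashed")),
    }
```

The three key-file encodings yield the same composite key, while dropping either the password or the key file gives a different one, which is why losing a key file means losing the database.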

Those very concerned about security may also like to install a software keyboard plugin to foil keylogging software.

Using KeePass

Download the latest version of KeePass. Note that Versions 2.x are referred to as ‘Professional Edition’ while older versions are known as ‘Classic Edition’. A portable version of KeePass is also available that can be carried on a USB stick. We use the ‘Professional Edition’.

1. Create a new encrypted password database (stored as a .kdbx file) by clicking the icon to the top left of the main window. You can save it anywhere, but (as we discuss below) choosing a Dropbox (or similar) folder will allow easy syncing across devices.

2. All passwords in a .kdbx file are protected either by a master password or by a key file. Key files are usually more secure than passwords and can be carried on a USB stick, but it is vital not to lose them! For now we’ll stick with a master password. Make sure you choose one which is secure because this is the weakest link in the entire process.

3. Database settings – You can fill in the ‘General’ tab as you see fit.

By default KeePass 2 uses strong AES-256 encryption with an SHA-256 password hash function to authenticate the data. Here we have used TwoFish encryption instead (in KeePass 2.0 this requires a separate plugin – just download it and unzip into the KeePass install folder).

4. The other settings can be left alone. Click ‘OK’ to create your secure password database and open the main KeePass window. Create a new password by clicking on the ‘Add Entry’ icon.

KeePass will automatically generate a secure password for you, and you can link it to a particular website and set an expiry date.

By clicking on the ‘Generate a password’ icon next to the ‘Quality’ indicator, you can tailor the password to be generated. This can be useful with websites (etc.) that are fussy about what password is used.

The main screen allows various password management functions. The ‘Open URL’ button will open your default browser at the webpage linked to the password.

One handy feature of KeePass is that it can import passwords from a broad range of sources, including from the Firefox password manager.

A portable version of KeePass is available that can be carried on a USB stick, and while it does not support automatic cloud syncing across devices, similar functionality can be had by storing the .kdbx file in a cloud storage folder (such as a Dropbox folder). The only real catch with this is that you will have to re-open the .kdbx file to update with the latest passwords.

Browser integration

By far the most useful plugins for most users will be ones that allow full browser integration. We use PassIFox for Firefox (there is also a Chrome version called ChromeIPass).

1. Download the KeePassHttp plugin and install it – full instructions are provided on the download page, but just unzip to your KeePass folder.

3. Run KeePass with your .kdbx password file open (KeePass can be set to run at startup by going to Tools -> Options -> Integration).

4. Right-click in the password field of the login form, and select ‘Fill User & Pass’. If the web address matches an entry in your KeePass file, the relevant entry will be pasted in. If you have 2 or more matching entries, you will be asked to select one.

As you can see, integrating KeePass with your browser is a bit fiddlier than with most commercial solutions, but is also hardly rocket science…

Browser integration and cross-platform/device syncing, etc. are a bit fiddly to set up

Not very pretty

We hated

Nothing

There is, however, no getting away from the fact that KeePass has many rough edges compared to its commercial competition, and that to get the most from it requires a bit of rolling up your sleeves and getting your hands dirty (if only a little).

When it comes to keeping your passwords secure, KeePass is hard to beat, but we understand that some may find it fiddly to use. If this is likely to prevent you actually using it, then you are probably better off using a commercial (closed source) alternative that you do use (or using Firefox’s built-in password manager), rather than not using a password manager at all.

KeePass is a great product; I have been using it for years, privately and in the office.
I just want to comment on using Dropbox …

I use btsync (now renamed https://www.resilio.com/individuals/)
to synchronize the .kdbx file (and many other important folders too) between my desktop, laptop, Android phone and Synology storage. This allows me access to all my passwords everywhere and additionally I have 4 copies of the .kdbx file in case some HW dies. It was some work to do initially, but I am paranoid about using Dropbox. I am an IT guy too, so it was easy for me, but I am sure anyone who can use a computer and read some instructions can do it too.

I think if the .kdbx file is securely encrypted with a strong cipher then it doesn’t really matter where you store it. Resilio is a good option for the more paranoid, but I prefer the open source Syncthing instead.

Thanks for all the writing; I, and I am sure many others, appreciate it. You made a lot of these things easy.

Keepass is great for windows, but the fact that one has to use the likes of Dropbox and Google’s Drive does not sit well with me. So I experimented. Before I get to that, let me say this….

If Google is compromised why use it? And I know you have suggested to not walk with a mobile as they can track you etc etc, but for some that is not practical.

So back to the experiment – Google is suspect, so I deleted everything Google I was allowed to and moved a phone of mine over to F-Droid. And so far I am not looking back. Regrettably I purchased some apps from the Play Store [all of which I can live without] but some make the phone experience a little bit more tolerable and I kept those, but as far as I know they are not dialling home.

So for all intents and purposes I have an F-Droid phone. I have KeePass 2 on Windows 8.1 and on the phone I have KeePassDroid. All I do is copy the .kdbx file over to the phone and [here is the trick] open it with File Manager Pro [download from F-Droid, of course], input your password and presto, the database opens.

Thanks! Moving away from Google is a very sensible thing to do if you care about privacy, but it is up to each individual to assess their threat model. With regards to storing KeePass .kdbx files on insecure cloud servers – remember that the file is securely encrypted (using Twofish-256 in my case). This means that it is secure, no matter where it is stored. The convenience of instantly syncing passwords across all my devices in this way trumps, for me, any general unease at using such services. I understand why others may not feel this way, however.

Great review, but I can’t agree on two points:
1) KeePass is very simple and intuitive. Maybe I use 5% of its features, but I found it very easy. ….OK, I’m an IT guy, but I could teach my mother how to use it.

2) Don’t tell anyone to use Dropbox, please. Especially if you write for users who are non-technical to the level of finding KeePass difficult to use.
If you store something outside your computer/USB, consider it available to (some part of) the world. I’m sure that Dropbox has enough resources to brute-force most master passwords if they only got the file. The same goes for people who could get access to their servers by illegal or legal (think NIST/NSA/…) methods.

1) This is, of course, a matter of personal opinion. I too find KeePass easy to use, but I do think that commercial options such as LastPass can be more intuitive.
2) Well… for the vast majority of ordinary users, Dropbox (or the NSA, etc.) is not going to try to brute force their passwords. If you are really worried about this, then you should use strong passwords (which KeePass itself can generate!) for a start. For ordinary users who want to sync their passwords across different devices, storing their .kdbx files on Dropbox is both convenient and much more secure than trusting LastPass or 1Password etc…

1. Create a new encrypted password database (stored as a .kdbx file) by clicking the icon to the top right of the main window. You can save it anywhere, but (as we discuss below) choosing a Dropbox (or similar) folder will allow easy syncing across devices.
I don’t see any icons at the top right of the main window that you click to create a new encrypted database; the only icons I see are on the LEFT. That leaves me to wonder if your article is accurate, or are there more errors?